Last modified: August 22, 2025
This authentication guide pertains to legacy public apps. For an overview of authentication for apps built on the new developer platform, check out this article instead.
There are two ways to authenticate calls to HubSpot’s APIs: OAuth, and private app access tokens. Below, learn more about each method and how to include it in your code for authorization.
Please note:Integrations designed for multi-customer use or listing on the App Marketplace must be built as an app using HubSpot’s OAuth protocol

OAuth

To make a request using OAuth when building a public app, include the OAuth access token in the authorization header: 
/~curl --header "Authorization: Bearer C4d***sVq"
https://api.hubapi.com/crm/v3/objects/contacts?limit=10&archived=false

Private app access tokens

Similar to OAuth, to make a request using a private app access token, include the token in the authorization header: 
/~curl --header "Authorization: Bearer ***-***-*********-****-****-****-************"
https://api.hubapi.com/crm/v3/objects/contacts?limit=10&archived=false

Automatic token deactivation

To protect developers from potential security incidents, HubSpot leverages the monitoring and secret scanning capabilities provided by GitHub to detect any HubSpot authentication tokens that are publicly exposed in GitHub repositories. Any detected tokens will automatically be deactivated, and you will be notified via email and in-app notification so you can generate a new token and update your integrations to replace the revoked token.
revoked-access-token-in-app-banner
The affected key and token types are listed below:

Working with OAuth

OAuth Quickstart Guide

Private Apps